Without an online presence an organization doesn’t exist, and having a website is just the baseline. Today, an organization’s Internet presence has expanded to include other digital channels. Companies of all sizes are actively using social media to engage with customers and build loyalty for their brand. Of the Fortune 500 companies, 98 percent use LinkedIn and 88 percent have a presence on Twitter, while more than 70 percent of small businesses use some type of social platform.
The Internet is an essential tool to grow your business, but it also poses digital risks to your brand reputation and integrity in the following key ways:
Online brand and social media abuse: Bad actors can spoof social media profiles of your company or brands, as well as take advantage of employee activity such as oversharing information about your brand or organization on social media. Spoofed profiles may look so legitimate that even some employees cannot determine if they are real or not. Such profiles can easily dupe individuals into purchasing counterfeit products and entering credit card data and credentials.
Malicious web domains: Cyber criminals will register and use web domains extremely similar to your actual domain names. With techniques like typosquatting, where an “m” is replaced with an “rn” in a URL, or domain squatting, where shoestore.com becomes shoestore.io, the distinction is easy to miss. When individuals unknowingly enter an incorrect address into a web browser, they are redirected to another URL. The content of the site mirrors the legitimate site, aside from lacking some functionality, and appears genuine to casual users who proceed to enter their user names and passwords.
Fraudulent mobile applications: Threat actors will take advantage of out-of-date mobile applications that you no longer maintain or will even create one for you that passes for a legitimate application. Malicious apps that impersonate brands may use spyware to steal information from users, ranging from banking information to login credentials.
Each of these methods is used to trick customers and employees into unknowingly handing over valuable data. This data is then used for profit by the attackers or sold online for others to do what they will. So, what can you do to protect your hard-earned brand and reputation?
When we think about illegal online trade we naturally think of the dark web. However, as I’ve written previously, criminal activity isn’t limited to the dark web. It is an Internet-wide problem, and we may even see an uptick in activity on the open and deep web since Operation Bayonet and the takedowns of AlphaBay and Hansa. That’s why it’s important to monitor your brand names, web domain names and mobile applications across the open, deep and dark web.
It is also important to note that brand impersonation sits at the intersection of security and marketing. The most effective brand protection programs harness the knowledge of both teams to develop processes and playbooks to identify, stop and recover from incidents and facilitate process change as needed.
As you develop a brand protection program, here are five concrete things you can do now to proactively identify and mitigate risk to your brand.
1. Identify spoof domains. Freely available tools like DNStwist on GitHub can identify permutations of your domains to detect typosquatting. WHOis.net allows you to look up domains and find out who is registering them and if the domains are live. These tools help you stay ahead of bad actors and have spoof domains taken down before they become scam pages.
2. Look for mentions on criminal sites. Dark web sites have a .onion URL. Tools like OnionScan can help you search to see if your brand is being mentioned on criminal sites so that you can work with law enforcement to take action if required.
3. Track mentions of sensitive keywords. Google Alerts is a powerful tool to identify mentions of your brand across the open web as well as mentions of your configuration files in cracking forums, indicating you may be facing credential stuffing. Early detection of this information can help you determine how to protect your organization, customers and third parties whose credentials may be used to steal valuable data.
4. Monitor mobile application stores. Even if your organization doesn’t have any official mobile applications, threat actors may create them for you. Monitor your brand on Google Play and then expand your monitoring to include third-party stores as well so that you can detect and remove unsanctioned apps.
5. Tap into external expertise. Work with a third-party digital risk provider to monitor your online presence and mitigate these types of risk. They also understand how to navigate takedowns and typically have relationships with law enforcement to help you act swiftly.
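To make step 1 concrete, the following added example (not taken from DNStwist or any other tool named here) screens a list of observed domain registrations against your own domain and says why each hit looks like it: a TLD swap such as shoestore.io, a confusable substitution such as “rn” for “m”, or a one-character typo. The function names, the substitution table and the sample feed are assumptions made for illustration.

```python
# Confusable sequences mapped to the character they imitate (constructed,
# non-exhaustive list; "rn" -> "m" is the case named in the article).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def split_domain(domain):
    """'shoestore.com' -> ('shoestore', 'com'); assumes a single-label TLD."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld

def skeleton(label):
    """Collapse confusable sequences so lookalikes map to the same string."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    (c_label, c_tld), (b_label, b_tld) = split_domain(candidate), split_domain(brand)
    if c_label == b_label:
        return None if c_tld == b_tld else "tld-swap"
    if skeleton(c_label) == skeleton(b_label):
        return "homoglyph"
    if edit_distance(c_label, b_label) == 1:
        return "typo"
    return None

def find_lookalikes(observed, brand):
    """Map each suspicious observed domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(d, brand))}

if __name__ == "__main__":
    # Constructed feed of observed registrations; shoestore.* is the article's example.
    feed = ["shoestore.com", "shoestore.io", "sh0estore.com", "shoestor.com", "shoelace.org"]
    for domain, reason in find_lookalikes(feed, "shoestore.com").items():
        print(f"{domain}: {reason}")
```

Flagged domains are candidates for review, for example with a WHOIS lookup as described in step 1, rather than confirmed abuse.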
Digital risk from brand exposure impacts everyone including the company, the brand, customers, third parties, employees and each of us as individuals. Brand exposure can lead to reputation damage, loss of intellectual property and customer trust and, ultimately, loss in revenue. Fortunately, with brand protection programs that bring together security and marketing teams along with outside expertise as needed, you can identify fake social media profiles, web sites and mobile applications and have them removed before significant damage is done.